forgejo runner token as secret setup

2024-11-26 12:16:29 +02:00 · 2024-11-26 12:16:29 +02:00 · e9f42a5fd3
commit e9f42a5fd3
parent 0f235b7ca0
4 changed files with 11 additions and 4 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,7 +1,7 @@
 keys:
  - &personal age12h0ekuyvy244etehyeymz2pt9xxjv7hpe2revateje00xrzj95fqvp2r82
 creation_rules:
-  - path_regex: secrets.yaml$
+  - path_regex: .*secrets.yaml$
    key_groups:
    - age:
      - *personal
--- a/secrets.yaml
+++ b/secrets.yaml
@ -20,6 +20,8 @@ forgejo_db_pass: ENC[AES256_GCM,data:/whBxapqWGNMynXCXVxrQv/XS6ivdTUE6YkuKZ2Rk9k
 postgresdb_admin_password: ENC[AES256_GCM,data:DopfWHTOAwihPa9+197pX3TE03dqWST/7+o=,iv:O9dzjYs9A1vBSp17Kyiz41KllUvpUORCmag0AYe8MNA=,tag:FS0v5us/ANMXweXrSIH2xQ==,type:str]
 murmur_welcome_message: ENC[AES256_GCM,data:k05ez0/raIbgBMu90NrAg5O1nkucDibQXdj8U+TXO3baH+fTexMZBfVqLvRkxQUp6P4tuTUiDaHORO1ezzF52Wfk9NjqMZyYowA62WRmqOoMh0cCUJKetMqly4/eS3/7kYoS9HJ0CP8ANpebUj0CiVBT0H4vNyg0pews3514dciVPN1++93II8IzSx+wXnivns/32ki0YmZrjhTREA==,iv:7scQhjy2uc0FL/26k3FbarA9Nm8GtQCqD7kod4lOlwM=,tag:wSm+6aodL+FD3L4C2+nzgg==,type:str]
 murmur_login_password: ENC[AES256_GCM,data:Fh6XjSxiLEP1jE56D9JRv0TokYOjEafeDkrh9/x5f+Rv4qgH18k54Le4dyl3EzNQ,iv:QbAPJx4xe2DT7AhXbOvQto4M6ICKVlJ/BXoP3ORjd4o=,tag:clHHTrQdi1bzA21gjY7mSg==,type:str]
+forgejo_runner_glucose_token: ENC[AES256_GCM,data:LV9fSGUqK3vn+uIk62CY3W0+9MzGuO2I+MwvqcP/wxzKxgz6q1Ytdw==,iv:fGGyFPuCc76qstvo/tfNciWBW5CNJIgb8CFvEcXBQl8=,tag:dJ1aTgHzrutryhKyPrBx+A==,type:str]
+forgejo_runner_fructose_token: null
 sops:
    kms: []
    gcp_kms: []
@ -35,8 +37,8 @@ sops:
            NHg3M2l5MWY2alpHdVhIbE5PQ3VxeW8Kr+o5K2EIrPSfIFBWK68mWl4lWJooZxF/
            vKsU99C2iIsbX/eTF2uNQqeDkOqy5egKCG42xikwycGFO/gbnCDIdw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-22T06:13:57Z"
-    mac: ENC[AES256_GCM,data:vBEGgzmUZpc67qwPmXNW30IVFBrYNMxgZHF36D1igbivVKa+JFHYn/V4EQuKjREhbXAo9NJlCePz5j0JdDXH5IekZjIPzFlIG+ex9SVwSt60xilk0+k05tnMbNnid8L0lhmb3+pbzieyjPhiRYLjzMFsks5dtr5jTCrIp2JlULA=,iv:3LvtP1GTOfHh6wO90cYFb8GgHEJI0lp2cY3nSZ7Oqho=,tag:wUNfx7cubw2vtAKtUfgblw==,type:str]
+    lastmodified: "2024-11-26T10:14:26Z"
+    mac: ENC[AES256_GCM,data:apt7XQhL7LgHG3vhx4TM0TjoOemmo2XzFRa3BdmGpZ3qK3bIwaetxyD2+qnb25LOukjkyNTdf8rc8e6ALpepVBTENl+vK/iNwdlL5xGg3WZb7WiqnQ+8ZS/iZ0AY6xz83kbLZRsbqsgLTd7OU24Ds7FL+lSConpjxVkOvn5/Abo=,iv:/LKyr6eqjt16GLArlj4/2JKqyKSK3V6/vKMRCGJ+xrI=,tag:FX1elucFIRRsd2VrTCtnrw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/services/forgejo/runner.mod.nix
+++ b/services/forgejo/runner.mod.nix
@ -10,7 +10,7 @@
            labels = [ ];
            name = config.networking.hostName;
            settings = { };
-            tokenFile = "";
+            tokenFile = config.sops.templates."forgejo_runner.env.secrets.yaml".path;
            url = "https://git.collective-conciousness.monster";
          };
        };
--- a/sops.mod.nix
+++ b/sops.mod.nix
@ -33,6 +33,11 @@
      }
    )
  ];
+  sucrose.modules = [
+    ({
+      sops.secrets.forgejo-runner-token = { };
+    })
+  ];
  glucose.modules = [
    ({
      sops.secrets.binary-cache-secret = { };